Echoing some proposals by the Biden administration, the measure proposes offering some 2,000 rural and urban safety-net hospitals $800 million over two years to help upgrade their security systems. After two years, the government would spend another $500 million to offer all hospitals incentives to upgrade security systems.
Penalties for all covered providers, insurance companies and business associates that fail to meet standards would start at $500 for those that had no knowledge of vulnerabilities, rising to $5,000 for organizations that had reasonable cause to take precautions, $50,000 for willful neglect they tried to correct, and $250,000 for willful neglect that was not corrected. The health secretary would be permitted to weigh an entity’s size, compliance history, and good-faith efforts in considering penalties.
The bill also would write into law the ability of the Centers for Medicare and Medicaid Services to make advanced payments to providers in the event of a billing interruption, as the agency did to a certain extent in the Change hack.
Several industry groups representing potentially affected parties did not offer comment on the legislation, but hospital associations have been highly critical of past proposals to fine them. They and other providers have argued systems already have a strong incentive to protect themselves, and most do so, while they are not in control of third-party vendors.
"Hospitals are investing significantly in cybersecurity and protecting against attacks that can disrupt care and put patients’ healthcare information at risk is a key priority for our members. Penalizing hospitals that are the victims of sophisticated criminal behavior diverts resources away from improving patient care," said a Federation of American Hospitals spokesperson after publication.
"We appreciate that this bill recognizes the significant costs of cybersecurity and would provide federal support. But we are concerned the proposed penalties would disproportionately harm essential hospitals, which have fewer resources available for the work this bill would require," said Jason Pray, vice president of legislative affairs for America's Essential Hospitals, after publication.
Cyber attacks against healthcare institutions have soared in recent years, with a record number of breaches reported in the first half of 2024.
Lawmakers referenced recent high-profile incidents, including the Change attack, in statements released along with the announcement of the bill's introduction.
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” said Senate Finance Committee Chair Ron Wyden (D-Ore.). “The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.”
Wyden warned hospital executives at the American Hospital Association conference earlier this year they would have to do better.
Sen. Mark Warner (D-Va.) said penalties were needed to ensure healthcare providers take the needed steps. Warner in March proposed legislation that would tie federal aid to meeting cybersecurity standards.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety,” Warner said.
The measure has the support of the Biden administration.
"Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential," said Health and Human Services Department Deputy Secretary Andrea Palm in a statement, adding the administration was "grateful" for the proposal. Palm last week discussed CMS' five-pronged plan geared toward reducing data breaches, which includes hospital cybersecurity regulations.
When and how the bill would be passed is unclear. Congress left town Thursday until Nov. 12.
To pass this year, the bill would likely have to be included in a package of legislation that lawmakers must pass in the fall to deal with several healthcare proposals, such as expiring health-related programs.